Snort mailing list archives

[OT] - RE: Repost: resp:rst_all not working


From: <bmcdowell () coxhealthplans com>
Date: Fri, 5 Mar 2004 14:53:36 -0600


Please add to the drinking game:

If Matt Kettler lets a question about flexresponse go by
without explaining why TCP resets are a bad idea - take 10 drinks.

(Just giving him a hard time, of course.  But you can probably set your
watch by the lag between such a question and the inevitable response...)

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Matt
Kettler
Sent: Friday, March 05, 2004 10:43 AM
To: Venkata Raghavan; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Repost: resp:rst_all not working


At 04:00 AM 3/5/2004, Venkata Raghavan wrote:
alert tcp any any -> $HOME_NET 25 (msg:"SMTP Rule Testing"; flow:to_server,established; content:"test"; nocase; resp:rst_all;)
After this, when I launch a telnet (port 25) session to an SMTP server from my Windows client, the alert gets generated. But there is no reset.
Then I tried the telnet from a Linux PC - this time it gets reset.
When I check the packets sent using Ethereal, I observe that whereas from a Windows PC the data "test" comes as four packets, from a Linux PC "test" comes as the data of a single packet. I guess this is a problem with the WinXP version of the Telnet client.

None of this is a problem in a telnet client. Technically the Windows XP one is doing the right thing and disabling Nagle.

The reason it's "not working" is that you're just unaware of the limitations of TCP resets.

1) A TCP reset is a race between Snort and the host that you aren't sending a reset to. Whoever gets the packet to the host Snort is trying to reset wins the race.

2) flexresp is only likely to win this race if there's a significant latency somewhere between the hosts you are desynchronizing. TCP resets work VERY poorly within a LAN.

3) It's pointless to send resets to an attacker. If they are smart, they'll be filtering them. Reset your local server or client instead. rst_all doesn't hurt, but realize that the one sent to the attack originator won't do much good unless the attacker is automated or stupid.

4) Smart attackers can generally evade flexresp by cheating and starting the race early. Non-Nagled TCP connections (i.e. telnet) are actually likely to evade it by the natural patterns of their traffic. Flexresp2 makes this harder, and will generally deal with Nagle issues, but a clever attacker can still have some chance of winning regardless.

-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
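A toy model of the race Matt describes in points 1, 2 and 4, added here as an example; it is not Snort code and not code from anyone in this thread. It assumes a passive sensor tapping the client-to-server path that alerts on the first segment at which the reassembled stream contains the rule's content, a server that accepts a RST only when its sequence number is acceptable (the RFC 793 window check, or the stricter "seq must equal RCV.NXT" rule of RFC 5961), no loss or reordering, and a crude Nagle model in which small writes made while earlier data is unacknowledged are held until the ACK returns one RTT later. The payloads, timings, sequence numbers, scenario names and function names are all constructed for illustration.

```python
"""Race between a sensor's TCP RST (Snort flexresp resp:rst_all) and the
next in-flight data segment.  Added example, not Snort code; every
timing and payload below is constructed."""
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int
    payload: bytes
    t_sensor: float           # ms at which the sensor's tap sees it

    @property
    def length(self) -> int:
        return len(self.payload)


@dataclass
class Receiver:
    """Just enough TCP receive state to decide whether a RST is honoured."""
    rcv_nxt: int
    rcv_wnd: int = 65535
    strict: bool = False      # RFC 5961: RST must carry exactly RCV.NXT
    reset: bool = False

    def deliver_data(self, seg: Segment) -> None:
        if seg.seq == self.rcv_nxt:          # in-order only; no loss modelled
            self.rcv_nxt += seg.length

    def deliver_rst(self, rst_seq: int) -> bool:
        if self.strict:
            ok = rst_seq == self.rcv_nxt
        else:                                # RFC 793 window check
            ok = self.rcv_nxt <= rst_seq < self.rcv_nxt + self.rcv_wnd
        self.reset = self.reset or ok
        return ok


def segment_writes(writes, nagle, rtt_ms, isn=1000, sensor_offset_ms=0.0):
    """Turn application writes [(t_ms, bytes)] into segments.  With Nagle on,
    small data written while earlier data is unacknowledged is held and
    flushed as one segment when the ACK returns (one RTT after the last
    send).  With Nagle off (telnet, or an attacker using TCP_NODELAY)
    every write leaves immediately as its own segment."""
    segs, seq, buf = [], isn, b""
    unacked_until = float("-inf")            # when the outstanding ACK arrives

    def emit(t, data):
        nonlocal seq, unacked_until
        segs.append(Segment(seq, data, t + sensor_offset_ms))
        seq += len(data)
        unacked_until = t + rtt_ms

    for t, data in sorted(writes):
        if buf and unacked_until <= t:       # ACK came back: flush held bytes
            emit(unacked_until, buf)
            buf = b""
        if not nagle or t >= unacked_until:
            emit(t, data)
        else:
            buf += data
    if buf:
        emit(unacked_until, buf)
    return segs


def race(segments, pattern, sensor_delay_ms, sensor_to_victim_ms, strict=False):
    """Sensor alerts on the first segment completing `pattern` in the stream,
    spends sensor_delay_ms building a RST whose seq is what the server
    expects next after that segment, and needs sensor_to_victim_ms to
    deliver it.  Every later data segment is racing it to the server."""
    victim = Receiver(rcv_nxt=segments[0].seq, strict=strict)
    stream, trigger = b"", None
    for seg in segments:
        stream += seg.payload
        if pattern in stream:
            trigger = seg
            break
    events = [(s.t_sensor + sensor_to_victim_ms, 0, "data", s) for s in segments]
    if trigger is not None:
        rst_seq = trigger.seq + trigger.length
        events.append((trigger.t_sensor + sensor_delay_ms + sensor_to_victim_ms, 1, "rst", rst_seq))
    accepted = False
    for _, _, kind, obj in sorted(events, key=lambda e: e[:2]):
        if victim.reset:
            break                            # connection gone; later data is dropped
        if kind == "data":
            victim.deliver_data(obj)
        else:
            accepted = victim.deliver_rst(obj)
    return {"alert": trigger is not None, "reset": accepted, "rcv_nxt": victim.rcv_nxt}


if __name__ == "__main__":
    keystrokes = [(i * 100.0, c) for i, c in enumerate([b"t", b"e", b"s", b"t"])]
    scenarios = {
        "line-mode client, Nagle on": segment_writes(
            [(0.0, b"test\r\n"), (500.0, b"quit\r\n")], nagle=True, rtt_ms=100),
        "pipelined sender, TCP_NODELAY": segment_writes(
            [(0.0, b"test"), (0.2, b"XXXX")], nagle=False, rtt_ms=50),
        "pipelined sender, Nagle on, 50 ms RTT": segment_writes(
            [(0.0, b"test"), (0.2, b"XXXX")], nagle=True, rtt_ms=50),
        "one keystroke per segment, 100 ms apart": segment_writes(
            keystrokes, nagle=False, rtt_ms=5),
    }
    for name, segs in scenarios.items():
        print(f"{name}: {race(segs, b'test', sensor_delay_ms=1.0, sensor_to_victim_ms=10.0)}")
```

Running it walks four constructed scenarios with a 1 ms sensor reaction time and 10 ms to the server: a line-mode client (one segment, the RST wins), a pipelined sender with TCP_NODELAY (the follow-up segment reaches the server 0.8 ms ahead of the RST, so the RST's sequence number is now below RCV.NXT and is discarded, which is point 4's "starting the race early"), the same sender with Nagle on over a 50 ms RTT (the held data gives the RST a clear window, which is point 2's latency argument), and character-at-a-time typing (a 100 ms keystroke gap is easy to beat). The RST aimed at the attacker's end is left out, per point 3; a peer that filters inbound RSTs is simply unaffected.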
